In the early 2000s, web hosts appeared, and successive innovations led to the creation of the cloud. The cloud is a system that allows you to store your data on remote computers – called servers – that are only accessible via the Internet. It represents the new trend in data storage. The cloud has a number of benefits for users, including the fact that they no longer need a large amount of physical storage, which is convenient for our nomadic connected devices and their limited storage capacity. In addition, the cloud has introduced implicit data backup. Once stored in the cloud, we can retrieve our data from it. It is for these advantages among others that private users, companies but also associations or authorities use it to collect their data. However, not all these users have the same relationship to the data.
Indeed, nowadays the United States is establishing itself as a hegemonic player with regard to data retention. The GAFAMs reign in this world of the cloud and offer to the United States a possible access to billions of confidential and personal information. In fact, the United States is establishing itself as a hegemonic player with regard to data retention. The GAFAMs reign in this cloud world and offer the United States possible access to billions of confidential and personal information. We must remain vigilant: the cloud puts problems with regard to the use of data. Who guarantees that it will not be used or resold for commercial purposes? There is also a problem with the security of this device. The United States, which hosts most of the world’s large data centres, can perfectly well, under the Patriot Act – a set of anti-terrorist measures – access data stored by a US-based provider, even on European areas.
We must be all the more vigilant since the Cloud Act – Clarifying Lawful Overseas Use of Data Act – adopted in 2018 increases the power of the US government with respect to third party data. It forces US technology companies to give the authorities access to their data in the course of an investigation, whether they are located on US servers or abroad. The Cloud Act also aims to facilitate the process by which a foreign government conducting an investigation on its own citizens can request access to their data from US technology companies. While being supported by the new technology industry, the Cloud Act is far from unanimous. Several civil liberties organizations, including the American Civil Liberties Union, the Centre for Democracy & Technology and the Open Technology Institute denounce that the guarantees required by the Cloud Act to establish a bilateral agreement with another state are insufficient or imprecise. An authoritarian regime could thus forge an agreement with the United States and use the Cloud Act to increase its monitoring on its population. Two areas are therefore in the centre of the debate concerning the use of the Cloud: law and geopolitics.
What is the legislation regarding data?
The cloud Act was signed into law by President Trump on March 2018. This law has two main axes. First, it enables American intelligence agencies as well as American law enforcement officials to access foreign stored data. The American authorities can obtain every personal information such as recording, communications or any other information in or out of the US. Secondly, the Cloud Act allows the executive to sign bilateral treaties with foreign governments. The latter will have access to information of services providers without having to go on trial. However, such agreement only concerns countries that respect some criteria detailed in the Cloud Act. Finally, it is important to remind that this law originated in a case between the United States and the United Kingdom. The topic was whether law enforcement can enable the access to communication stored in Ireland. At that time, during the Microsoft Ireland case in February 2018, Microsoft actually warned of the effects of a law such as the Cloud Act. In fact, the country denounced that such law could allow every country to demand access to some data for the reason that the provider has to respond by the law of the country. Furthermore, they believed that it would reduce privacy rights for all by creating a world where most country who have a convenient law could access to any data stored elsewhere.
This law remains blurry on many aspects. That is why it is questioned. In fact, this law was supposed to apply to criminal investigations, but it has also been said that this would be used for maintaining public order which a larger notion. Furthermore, the Cloud Act seems to be contradictory with the European data protection law – the General Data Protection Regulation (GDPR) – implemented in May 2018. In fact, the latter enacted that no personal data would be share unless there is an international agreement on the matter. The GDPR has three axes. Making the companies aware of their responsibility regarding data protection – Notions of privacy by design and privacy by default – Joint responsibility of the subcontractors. This law is a collective response from the UE, but this answer may not be enough regarding the US legislation. Companies should need to use service providers that are referring to the same law system than their companies. Emma Hanoun, a French lawyer in digital law, argued the extraterritoriality of the Cloud Act is harming the states sovereignty regarding their data. In fact, according to her, the GDPR is a law that forces every companies that collect European citizen’s data to comply with EU’s rules whereas the Cloud Act provides a legal framework allowing American authorities to force service providers and American companies to give one user’s data no matter what nationality he is.
The difference between the two laws could be explained by existence of two different models according to Emma Hanoun. On the one hand, she highlighted that the European model is based on the idea that privacy is a fundamental right and that the data regulation put the individuals at the core of the reflexion to protect their rights. It also has to be said that the GDPR is a general law that ensure equal protection for every European Union individual. On the other hand, the American model is more oriented on a capitalistic and commercial approach according to her. Thus, data is a new economy and this is why there is no general law on personal data protection but solely on certain types of data such as financial or health data. This can explain why the European Union offers a more strict and efficient protection regarding personal data than the American system.
Europe’s solutions to circumvent US legislation
Faced with the potential threat posed by the United States, France and Europe must react so as not to compromise sensitive data to government institutions or businesses. Therefore Bruno le Maire, the French Minister of Economy, announced in April 2019 that he wants to create a national sovereign cloud, his goal being to counter the Cloud Act implemented in 2018. He justifies his choice by accusing the American text of being « a breach of sovereignty that is simply not acceptable ». There is already a « SecNumCloud » qualification issued by a state organism « ANSSI » which certifies the security of data stored in a cloud. Compliance with the « SecNumCloud » standard makes it possible to guarantee an optimal level of security and to ensure that an incident during data storage or processing has a limited consequence for a company.
At the beginning of 2019, Oodrive became the first player to benefit from this qualification, demonstrating that a secure French cloud exists. However, Oodrive is not sufficiently developed to accommodate the data of all French companies, which poses a problem. Indeed, obtaining SecNumCloud qualification is very difficult because the rules for obtaining it are strict and the requirements are high. That is why another solution needs to be considered, on a larger scale, at European level. In October 2019, Germany, supported by France, announced its intention to develop a European cloud called Gaia-X. Angela Merkel justifies her choice by declaring a considerable delay in this area vis-à-vis the United States, which leads to a dependence that can be harmful in the long term for our transatlantic relations. To this end, Germany and France will work hand in hand to initially create a European cooperative society which must define « the references, standards and criteria for certifications » as early as spring 2020, with the start of operations envisaged at the end of 2020.
The European cloud seems to be a better solution than a French cloud, thanks in particular to the sharing of Franco-German know-how and the higher financing capacity. If we want to be able to compete with a country such as the United States in an area in which they excel, we need to bring ourselves up to their level in terms of resources. However, one detail stands in the way of this project: the European Commission. It has announced that « any such project will have to comply with EU competition and public procurement rules ». Until such time as we develop a European cloud that would bring us independence from the United States on the one hand, but also protection for our sensitive data, it is necessary to maintain good relations with our ally of several centuries, the United States. This trend towards cooperation between the two states has been growing steadily from 1945 to the present day. By deciding to engage in the Second World War, the United States moved from a unilateralist to a multilateralist policy. This policy reached its peak with the presidency of Barack Obama but has been in decline since Donald Trump came to power on 20 January 2017. This new policy of the American billionaire is driving the United States away from Europe, which does not bode well for the security of our data. It is therefore imperative to look ahead to the US presidential election that will take place on November 3, 2020, which will strongly influence the future of the cloud.
Thus, the Cloud appears to be a legal brain teaser. As we could saw in our second interview, many companies are reluctant to use it because they fear a security breach that they could not defend with law. And yet, they must make a choice. The cloud technology will soon be at the basis of huge economic gains. Nonetheless, as stated by Julien Chièze, a French journalist, this topic remains sensitive. Last week, many video game publishers withdrew their license from Stadia, Google’s cloud gaming platform, due to contract issues. Such a situation leads us to believe that if the cloud seems to be a tool for the future of our daily lives, it brings with it many changes that will have to be made little by little to ensure a good transition.